Sun Jan 13, 2013, 07:19 PM

Oracle releases software update to fix Java vulnerability

This discussion thread was locked as off-topic by OKNancy (a host of the Latest Breaking News forum).

Source: CNET

Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.

The update, which is available on Oracle's Web site, fixes a critical vulnerability in Oracle's Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

Oracle said the update modifies the way Java interacts with Web applications.

"The default security level for Java applets and web start applications has been increased from 'medium' to 'high'," Oracle said in an advisory today. "This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the 'high' setting the user is always warned before any unsigned application is run to prevent silent exploitation."

Read more: http://news.cnet.com/8301-1009_3-57563730-83/oracle-releases-software-update-to-fix-java-vulnerability/

20 replies, 2880 views

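The advisory quoted above names two controls on the client side: the runtime version (7u11 is the patched release) and the deployment security level, whose default moved from 'medium' to 'high'. As an added illustration (not code from the thread, CNET or Oracle), the following script audits one install against both, and also reports whether the browser plugin is switched off, which is the option several replies below discuss. It assumes the version line format printed by `java -version`, and that `deployment.security.level` and `deployment.webjava.enabled` are the keys Java 7 reads from the user's deployment.properties; all sample inputs are constructed.

```python
"""Audit a Java 7 desktop install against the controls the advisory describes.

Added example, not part of the original thread. Assumptions: the keys
deployment.security.level and deployment.webjava.enabled are those documented
for Java 7's deployment.properties; every sample input below is constructed.
"""
import re

PATCHED = (1, 7, 0, 11)          # Java 7 Update 11, the release the thread discusses
LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}
MIN_LEVEL = "HIGH"               # the new default the advisory quotes

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(text):
    """Turn `java -version` output into a comparable tuple.

    'java version "1.7.0_09"' -> (1, 7, 0, 9); returns None when no version
    line is present (Java not installed, or the command failed).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def parse_properties(text):
    """Minimal reader for Java .properties files: key=value lines, with '#'
    and '!' comment lines and blank lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(version_output, properties_text):
    """Return a dict of findings for one install (True means the check passes)."""
    version = parse_java_version(version_output)
    patched = version is not None and version >= PATCHED
    props = parse_properties(properties_text)

    if "deployment.security.level" in props:
        level = props["deployment.security.level"].upper()
    else:
        # No explicit setting: fall back to the JRE default, which the
        # advisory says moved from MEDIUM to HIGH in 7u11.
        level = "HIGH" if patched else "MEDIUM"

    # deployment.webjava.enabled=false (assumed key name) turns the browser
    # plugin off without uninstalling Java.
    plugin_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"

    return {
        "version": version,
        "patched": patched,
        "security_level": level,
        "level_ok": LEVELS.get(level, -1) >= LEVELS[MIN_LEVEL],
        "browser_plugin_enabled": plugin_enabled,
    }


# --- constructed sample inputs (not captured from a real machine) ----------
OLD_VERSION = 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-bXX)\n'
NEW_VERSION = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-bXX)\n'
WEAK_PROPS = "#deployment.properties\ndeployment.security.level=MEDIUM\n"
HARDENED_PROPS = "#deployment.properties\ndeployment.webjava.enabled=false\n"

if __name__ == "__main__":
    for label, ver, props in (("unpatched, medium", OLD_VERSION, WEAK_PROPS),
                              ("7u11, plugin off", NEW_VERSION, HARDENED_PROPS)):
        print(label, audit(ver, props))
```

The version tuple comparison is what makes the older entries in the release list quoted in reply #2 (1.7.0_01 through 1.7.0_10) sort below 7u11; the leading zero in "_09" is handled by the integer conversion.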

Replies to this discussion thread
Author Time Post
Reply Oracle releases software update to fix Java vulnerability (Original post)
UnrepentantLiberal Jan 2013 OP
agent46 Jan 2013 #1
William Seger Jan 2013 #3
high density Jan 2013 #10
tomm2thumbs Jan 2013 #2
UnrepentantLiberal Jan 2013 #4
Gore1FL Jan 2013 #6
UnrepentantLiberal Jan 2013 #9
PoliticAverse Jan 2013 #11
UnrepentantLiberal Jan 2013 #14
Zorro Jan 2013 #7
AllyCat Jan 2013 #13
Cynicus Emeritus Jan 2013 #5
radhika Jan 2013 #8
PoliticAverse Jan 2013 #12
radhika Jan 2013 #16
Earth Bound Misfit Jan 2013 #15
jsr Jan 2013 #17
happynewyear Jan 2013 #18
olddad56 Jan 2013 #19
OKNancy Jan 2013 #20

Response to UnrepentantLiberal (Original post)

Sun Jan 13, 2013, 07:22 PM

1. Doesn't sound like a fix to me n/t



Response to agent46 (Reply #1)

Sun Jan 13, 2013, 07:53 PM

3. Nope

Lame....



Response to agent46 (Reply #1)

Sun Jan 13, 2013, 09:59 PM

10. It sounds like they just added a prompt that people can click through to get infected anyway?

What a joke!



Response to UnrepentantLiberal (Original post)

Sun Jan 13, 2013, 07:43 PM

2. I have disabled Java for now... I'll wait awhile and see

The list on that site doesn't give me confidence this is the end of it...

Current Version

Changes in 1.7.0_11

Earlier Versions

Changes in 1.7.0_10
Changes in 1.7.0_09
Changes in 1.7.0_07
Changes in 1.7.0_06
Changes in 1.7.0_05
Changes in 1.7.0_04
Changes in 1.7.0_03
Changes in 1.7.0_02
Changes in 1.7.0_01
Release Notes for the Original 1.7.0 Release





Response to tomm2thumbs (Reply #2)

Sun Jan 13, 2013, 07:57 PM

4. That's probably wise.

Oracle hasn't taken Java seriously. I wouldn't trust that patch.

Forget Oracle's Latest Java Patch. Just Kill The Program In Your Browser For Good

After months of inaction and even a warning from the Department of Homeland Security, Oracle has finally released a fix for yet another security vulnerability in its ubiquitous and notoriously buggy Java software. But there’s already been a fix available that remains simpler and far more effective: Kick your Java habit altogether.

Despite Oracle’s new patch, which the company posted to its website Sunday–more than four months after it was informed about the bug by Polish security firm Security Explorations–Java watchers in the security industry are recommending that users give up on the endless cycle of the program’s bugs and fixes and instead turn it off in their browsers for good. “Users should simply disable it,” says H.D. Moore, chief security officer at the security firm Rapid7 who has tested numerous Java exploitation techniques over the last year. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”

-snip-

The bug was just the latest in a series that wracked Oracle for much of 2012. In August a flaw in the software, also reported months earlier by Security Explorations, was exploited by hackers installing malware including the Poison Ivy trojan on target PCs. When Oracle released a patch, Security Explorations quickly found another flaw in the fix that would allow the new security measures to be bypassed. And the company followed that revelation with the discovery of yet another critical bug in the program.

-snip-

Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, despite several browsers’ moves to automatically download and install new versions of themselves. And despite modern browsers’ attempts to prevent websites from gaining access to a PC beyond a limited “sandbox,” Java can in many cases allow attackers to escape those restrictions, access the full hard disk and make network connections with remote servers. “The attack surface is so big,” Kandek says. “In many ways, you don’t want Java to be able to do all the things that it does anymore.”

More: http://www.forbes.com/sites/andygreenberg/2013/01/13/forget-oracles-latest-java-patch-just-kill-the-program-in-your-browser-for-good/



Response to UnrepentantLiberal (Reply #4)

Sun Jan 13, 2013, 08:46 PM

6. Oracle hasn't taken Oracle seriously

It took them forever to produce (and certify) an Oracle client that worked in Windows 7.



Response to Gore1FL (Reply #6)

Sun Jan 13, 2013, 09:50 PM

9. Today's CEOs are more interested in cashing in than being productive.


Response to UnrepentantLiberal (Reply #9)

Sun Jan 13, 2013, 10:52 PM

11. Cut Ellison some slack, it takes a lot of $$$ to have your own 140-sq mile island...



Response to PoliticAverse (Reply #11)

Sun Jan 13, 2013, 11:37 PM

14. That was quite a purchase.

Now I want an island.


Response to UnrepentantLiberal (Reply #4)

Sun Jan 13, 2013, 08:53 PM

7. Citrix requires Java



Response to Zorro (Reply #7)

Sun Jan 13, 2013, 11:29 PM

13. Rats. I just unloaded Java completely.

But I every so often need to use Citrix for work...grrr!!! Not sure what to do.



Response to UnrepentantLiberal (Original post)

Sun Jan 13, 2013, 08:20 PM

5. Your loss of security is not worth a sacrifice of their profits

This is not being addressed on MSM. Why? Cronyism?


Response to UnrepentantLiberal (Original post)

Sun Jan 13, 2013, 09:18 PM

8. Question: Is it enough to disable Java in my browser only?

I'm not sure I understand it enough. I've been infected twice, going insane trying to clean up and stay safe. Had to take it into the shop.

BTW: I got a pop-up from my Avira anti-virus advising they were now on top of things, but I honestly don't know what is a real message and what is a hoax.

(Using my old back up computer until this plague subsides)



Response to radhika (Reply #8)

Sun Jan 13, 2013, 10:53 PM

12. Unless some program you use specifically needs Java you can just uninstall it. n/t



Response to PoliticAverse (Reply #12)

Mon Jan 14, 2013, 01:26 AM

16. Thanks, I think I will...can reinstall later if necessary n/t



Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 12:07 AM

15. I just installed Java 7 u11 in a Win 7 VM

I went to Java's verification page to check if it installed correctly, and I got a...

wait for it....

wait for it....

Security Warning!!!

You can't make this stuff up!


Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 01:38 AM

17. To be followed by another software update to fix Java vulnerability



Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 03:21 AM

19. Has anyone ever read the book entitled "The difference between God and Larry Ellison"?

the subtitle is "God doesn't think he is Larry Ellison".

The book deals not only with Larry's ginormous ego, but also the insanity of trying to work with Oracle's products in the earlier days. I started working with Oracle software in 1989, version 5. I worked with it, as a DBA in a customer site, for 20 years. Version 5 through 11.

I experienced a lot of the insanity that is talked about in the book. One of my fondest memories is back when they finally got a somewhat stable release of version 6. I found a situation where a feature didn't work as documented. In those days the documentation was all on hard copy, and anytime they did an update they sent you a case of manuals. I reported the problem. I was told that it was a known problem and they would send me a fix. True story: they fixed the problem by changing the documentation. They sent me a new copy of the documentation that no longer included the feature.

That being said, I feel like by version 7 or 8, they had the best relational database available for industrial strength UNIX applications.



Response to UnrepentantLiberal (Original post)

Mon Jan 14, 2013, 06:10 AM

20. duplicate thread
